7.12. Procedure – Signing certificates on-the-fly


In several places PSM generates server certificates on the fly and signs them with a signing CA configured in PSM. This is used, for example, for SSL-encrypted RDP sessions, RDP sessions that use Network Level Authentication (CredSSP), and SSH connections that use X.509-based authentication. To create a signing CA, complete the steps below.


Note the following points about using signing CAs:

  • Signing CAs require a CA certificate that is permitted to sign certificates (basicConstraints CA:TRUE and, if a keyUsage extension is present, keyCertSign), together with the corresponding private key.

  • These CAs cannot be used to sign audit trails. For details on how to configure the certificates used to sign audit trails, see Procedure 7.10.4, Digitally signing audit trails.

  • The generated certificates have the same X.509 version (for example, v3) as the signing CA certificate.

  • When generating certificates, PSM ignores the CRL distribution point (crlDistributionPoints extension) of the signing CA certificate; it is not copied into the generated certificates. If you want the generated certificates to carry a CRL URL, you must set it manually, as described in the steps below.


  1. Navigate to Policies > Signing CAs and click .

    Figure 7.19. Policies > Signing CAs — Creating Signing CAs

  2. Enter a name for the CA into the topmost field.

  3. To upload a CA certificate and its private key, complete the following steps. Skip this step if you want to generate a CA on PSM.

    1. Click in the CA X.509 certificate field and upload the certificate of the certificate authority. Alternatively, you can upload a certificate chain, where one member of the chain is the CA that will sign the certificates (the member that corresponds to the private key uploaded in the next step).

    2. Click in the CA private key field and upload the private key of the certificate authority that will sign the certificates.

    3. Optional step: Enter the URL of the Certificate Revocation List (CRL) that your Certificate Authority publishes in your own Public Key Infrastructure (PKI) solution. PSM writes this URL into the crlDistributionPoints extension of every certificate it generates with this CA, so this is the CRL information shown to clients connecting to PSM.

      Note that PSM's internal CA does not generate or maintain the CRL. The CRL must come from your own PKI solution and stay published at the URL you enter here.

    4. Click .

  4. To generate a CA certificate on PSM, complete the following steps:

    1. Enter the Common Name for the CA certificate into the Common Name field. This name will be visible in the Issued By field of the certificates signed by this CA.

    2. Fill the other fields as required, then click Generate private key and certificate.

    3. Click .
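The following Python script is an added example and is not PSM code or part of this guide. It uses the third-party `cryptography` package to build a self-signed CA of the kind step 3 expects you to upload (or step 4 generates), to check a CA certificate and private key pair against the requirements listed in the notes above (CA:TRUE, keyCertSign, matching key; picking the right member of a chain), and to issue a short-lived server certificate the way on-the-fly signing does, including the two caveats from the notes: the generated certificate keeps the X.509 version of the CA, and the CA's own CRL distribution point is never copied, so a CRL URL appears only when it is set explicitly. All names and URLs (`PSM Signing CA`, `rdp.example.com`, `http://pki.example.com/...`) are made up for the example.

```python
"""Added example, not PSM code: signing-CA creation, pre-upload checks and
on-the-fly issuance. Requires the third-party `cryptography` package."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _builder(subject, issuer, public_key, days):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=days)))


def _crl_dp(url):
    return x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(url)],
        relative_name=None, reasons=None, crl_issuer=None)])


def make_ca(common_name, crl_url=None):
    """Self-signed CA 'permitted to sign certificates': basicConstraints
    CA:TRUE plus keyCertSign (and crlSign) in keyUsage. EC P-256 key."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    b = (_builder(name, name, key.public_key(), days=3650)
         .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
         .add_extension(x509.KeyUsage(
             digital_signature=False, content_commitment=False,
             key_encipherment=False, data_encipherment=False,
             key_agreement=False, key_cert_sign=True, crl_sign=True,
             encipher_only=False, decipher_only=False), critical=True))
    if crl_url:  # the CA's *own* CRL pointer (hypothetical URL in the test)
        b = b.add_extension(_crl_dp(crl_url), critical=False)
    return key, b.sign(key, hashes.SHA256())


def check_signing_ca(cert, key):
    """Reasons a cert/key pair cannot act as a signing CA ([] = usable)."""
    problems = []
    try:
        if not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("basicConstraints says CA:FALSE")
    except x509.ExtensionNotFound:
        problems.append("no basicConstraints extension")
    try:
        if not cert.extensions.get_extension_for_class(x509.KeyUsage).value.key_cert_sign:
            problems.append("keyUsage lacks keyCertSign")
    except x509.ExtensionNotFound:
        pass  # no keyUsage extension means no restriction (RFC 5280 4.2.1.3)
    spki = lambda pub: pub.public_bytes(serialization.Encoding.DER,
                                        serialization.PublicFormat.SubjectPublicKeyInfo)
    if spki(cert.public_key()) != spki(key.public_key()):
        problems.append("private key does not match the CA certificate")
    return problems


def pick_signing_ca(chain, key):
    """With an uploaded chain, the signer is the member that fits the key."""
    return next((c for c in chain if not check_signing_ca(c, key)), None)


def issue_server_cert(ca_key, ca_cert, hostname, crl_url=None):
    """On-the-fly issuance: fresh key, one-day leaf signed by the CA.
    A CRL URL is written only when given explicitly; the CA certificate's
    own crlDistributionPoints is deliberately not inherited."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    b = (_builder(subject, ca_cert.subject, key.public_key(), days=1)
         .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
         .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
         .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False))
    if crl_url:
        b = b.add_extension(_crl_dp(crl_url), critical=False)
    return key, b.sign(ca_key, hashes.SHA256())


def crl_urls(cert):
    """CRL URLs a connecting client will see in the certificate."""
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in dps for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]


def signed_by(cert, ca_cert):
    """True if ca_cert's EC key produced cert's signature (no chain policy)."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False
```

To produce files for the CA X.509 certificate and CA private key fields, serialise the pair returned by `make_ca` with `cert.public_bytes(serialization.Encoding.PEM)` and `key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())`. Before uploading a CA obtained from elsewhere, run `check_signing_ca` on it; an empty list means it satisfies the requirements in the notes above.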